Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler
- Severity: Medium
Description
Summary
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground’s OAuth callback handler. The error_description query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim’s session.
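The interpolation pattern described above, next to an escaped form, as an added example that is not code from the agents package. The function names, the page markup, the showError call and the sample callback URL are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names and page markup are hypothetical,
// not taken from the agents package.

// Vulnerable pattern described in the advisory: the query parameter is
// interpolated straight into an inline <script> block.
function renderCallbackUnsafe(errorDescription) {
  return `<script>showError("${errorDescription}");</script>`;
}

// Characters that can end the script element, open an HTML comment, or act as
// a line terminator inside a JS string literal are emitted as \uXXXX escapes.
const SCRIPT_UNSAFE = /[<>&\u2028\u2029]/g;

function toScriptLiteral(value) {
  // JSON.stringify handles quotes, backslashes and control characters.
  return JSON.stringify(String(value)).replace(
    SCRIPT_UNSAFE,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

// Hardened form: the value only ever appears as an escaped string literal.
function renderCallbackSafe(errorDescription) {
  return `<script>showError(${toScriptLiteral(errorDescription)});</script>`;
}

// Reads the parameter from a callback URL the way a handler would.
function errorDescriptionFrom(url) {
  return new URL(url).searchParams.get("error_description") ?? "";
}

// Constructed sample: a value holding a quote and a closing script tag.
const SAMPLE_URL =
  "https://playground.example/callback?error=access_denied" +
  "&error_description=" + encodeURIComponent('denied"</script><i>x</i>');

function demo() {
  const desc = errorDescriptionFrom(SAMPLE_URL);
  return { desc, unsafe: renderCallbackUnsafe(desc), safe: renderCallbackSafe(desc) };
}
```

Where the page does not need the value inside a script at all, writing it into the DOM with textContent, or HTML-escaping it into the body, avoids the script context entirely.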
Recommendation
Update the agents package to the latest compatible version. Version details:
- Affected version(s): < 0.3.10
- Patched version(s): 0.3.10
Related Issues
- Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site - Vulnerability
- CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
- mailparser vulnerable to Cross-site Scripting - CVE-2026-3455
- Astro development server error page is vulnerable to reflected Cross-site Scripting - CVE-2025-64745
- Tags: npm, agents
Last updated on February 13, 2026